[Oisf-users] Detect problem with http_header

Martin Holste mcholste at gmail.com
Thu Dec 29 17:16:59 UTC 2011 

Are request headers completely unparsed at the moment with HTPlib?  I
would think that the intensive work is already done anyway by HTPlib,
regardless of pattern matching.  I think that the keyword should work
the same way it does in Snort, as I see little advantage to verbosely
specifying the direction, since the stream direction already does
that.

One thing to consider that would be a major improvement over Snort
would be to actually parse the headers (again, I'm assuming that
HTPlib already does this) so you could specify a normalized header is
present, like this:
content:"asdf"; http_user_agent;

That would be a HUGE win, and I don't think it would be nearly as much
work as you'd think, since HTPlib should be doing that parsing
already.  The main work would be adding all the keywords in, but I
think we can all agree that it would be worth it because so many
signatures rely on searching specific header values.

On Thu, Dec 29, 2011 at 10:00 AM, Anoop Saldanha <poonaatsoc at gmail.com> wrote:
> On Sat, Dec 24, 2011 at 9:32 PM, Martin Holste <mcholste at gmail.com> wrote:
>> Ok, opened 389.  Happy holidays to all as well!
>>
>> On Sat, Dec 24, 2011 at 8:31 AM, Victor Julien <victor at inliniac.net> wrote:
>>> On 12/23/2011 07:59 PM, Martin Holste wrote:
>>>> I'm trying to get a signature to work which is looking for a specific
>>>> server response HTTP header, namely:
>>>> content:"|0d 0a|Content-Disposition: attachment|3b| filename=";
>>>> If I add "http_header" as a modifier, it doesn't hit.  Client stuff
>>>> seems to work fine.  I'm using the default libhtp config.
>>>> Suggestions?
>>>
>>> A quick look at code shows what the problem is: in our implementation
>>> http_header currently only inspects the request headers. Please open a
>>> feature request!
>>>
>>> Happy holidays everyone!
>>>
>>> --
>>> ---------------------------------------------
>>> Victor Julien
>>> http://www.inliniac.net/
>>> PGP: http://www.inliniac.net/victorjulien.asc
>>> ---------------------------------------------
>>>
>>> _______________________________________________
>>> Oisf-users mailing list
>>> Oisf-users at openinfosecfoundation.org
>>> http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>> _______________________________________________
>> Oisf-users mailing list
>> Oisf-users at openinfosecfoundation.org
>> http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>
> Wondering if it makes sense to introduce explicit keyword based
> option for response header inspection,
>
> http_header<,type>;
> http_raw_header<,type>;
>
> where type - request;
>                   - response;
>
> if no type's specified we default to just request or both maybe.
>
> --OR--
>
> we inspect both request and response headers always.
>
> --
> Anoop Saldanha

More information about the Oisf-users mailing list